Allow to access ssl vpn just from specific network

Tomas Fidler
Level 1

Hi,

I want to limit from where users are able to access our SSL VPN (AnyConnect VPN). So I want to specify the "allowed remote IP address of the client".

For example to allow "just from Europe" access (suppose I know IPs used in Europe).

Does somebody know how to do that?

For us it is considered insecure to allow opening the AnyConnect VPN from just anywhere.

1 Reply

Herbert Baerten
Cisco Employee

Hi Tomas,

You can do this in several ways, but the easiest is probably to configure a control-plane ACL on the ASA. This limits the traffic to the box (as opposed to the interface ACLs, which only filter traffic through the box).

Can't find a good reference right now but if memory serves me well it would be something like

access-list FOO permit tcp 10.0.0.0 255.0.0.0 interface outside eq 443

access-group FOO in interface outside control-plane

Note that if you want to allow IPsec, ping, SSH, ASDM etc. from the outside, then you will have to explicitly allow that in this ACL as well.

hth

Herbert
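
Added example (not part of the original thread): a Python helper that turns a list of allowed client prefixes into ACL lines of the form shown in the reply above, with the `eq` operator that ASA port matches require. The function name and the sample prefixes (documentation ranges) are constructed for illustration; the ACL name `FOO` and interface `outside` are taken from the reply.

```python
import ipaddress

# Constructed sample input: prefixes the VPN should accept clients from.
SAMPLE = [
    "# allowed client networks (constructed documentation ranges)",
    "192.0.2.0/25",
    "192.0.2.128/25",      # adjacent to the line above, merges into one /24
    "198.51.100.7/32",     # single host
    "203.0.113.70/26",     # host bits set, normalised to 203.0.113.64/26
]

def asa_control_plane_acl(cidrs, acl="FOO", ifc="outside", port=443):
    """Return ASA config lines permitting tcp/<port> to the interface
    from the given IPv4 prefixes (hypothetical helper, IPv4 only)."""
    nets = []
    for entry in cidrs:
        entry = entry.strip()
        if not entry or entry.startswith("#"):
            continue  # blank lines and comments are allowed in the list
        net = ipaddress.ip_network(entry, strict=False)  # ValueError if malformed
        if net.version != 4:
            raise ValueError(f"IPv4 only in this example: {entry}")
        if net.prefixlen == 0:
            raise ValueError("0.0.0.0/0 would defeat the restriction")
        nets.append(net)
    if not nets:
        raise ValueError("refusing to emit an ACL with no permitted source")

    lines = []
    # collapse_addresses merges overlapping/adjacent prefixes and sorts them,
    # which keeps the ACL short when the source list is large.
    for net in ipaddress.collapse_addresses(nets):
        if net.prefixlen == 32:
            src = f"host {net.network_address}"
        else:
            src = f"{net.network_address} {net.netmask}"  # ASA uses dotted masks
        lines.append(f"access-list {acl} permit tcp {src} interface {ifc} eq {port}")
    lines.append(f"access-group {acl} in interface {ifc} control-plane")
    return lines

if __name__ == "__main__":
    print("\n".join(asa_control_plane_acl(SAMPLE)))
```

Review the generated lines before pasting them into the ASA, and add the entries for any other to-the-box services as the reply notes.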
